Computer malware, such as viruses, worms and Trojan horses, presents one of the most significant security threats to computer systems. For example, it is estimated that the yearly financial losses of U.S. businesses caused by malware are in the tens of billions of dollars. To combat the increasing spread of computer malware, a number of antivirus detection techniques have been developed. One of the most effective techniques for detecting computer malware is heuristic analysis of computer programs. Heuristic analysis is a behavior-based technique in which a computer program is emulated in a secure computer environment, e.g., a virtual computer, thereby simulating what would happen if the program were executed while keeping the suspicious code isolated from the real-world machine. The behavior of the emulated program is analyzed for common malicious actions such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If one or more malicious actions are detected, the program is flagged as potential malware. This analysis enables detection of various classes of malware.
Heuristic analysis techniques, however, may fail to detect some forms of a newly emerging breed of multi-component malware. During execution, multi-component malware launches several executable components of the main computer program, such as subprograms, numerous parallel processes and remote threads. Some components may exhibit benign behavior attributable to non-malware programs in order to fool antivirus software into concluding that the program is harmless, while other components may be malicious. By emulating each of the executable components and performing heuristic analysis on each of them, such multi-component malware may be detected. However, heuristic analysis may fail to detect malware in which the malicious code is distributed among several executable components, wherein each executable component on its own exhibits only signs of benign behavior, while the overall actions of the program are malicious. Accordingly, there is a need for detecting such multi-component malware.
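The failure mode described above can be made concrete with an added example (not code from the patent): a constructed emulation log in which each spawned component performs only one of the malicious actions named in the text, so a per-component heuristic never reaches its flagging threshold, while attributing every component's actions to the root of its process tree does. The log format, the action names and the two-action threshold are assumptions for illustration.

```python
from collections import defaultdict

# Malicious actions the heuristic analyzer looks for (replication, file
# overwrites, hiding). A component is flagged once it shows THRESHOLD of them.
MALICIOUS_ACTIONS = {"replicate", "overwrite_file", "hide_file"}
THRESHOLD = 2  # assumed flagging threshold for this example

# Constructed emulation log: (pid, parent_pid, action). Process 1 is the main
# program; it spawns 2, 3 and 5, and 3 spawns 4. Each child performs at most
# one malicious action, so no single component looks conclusively malicious.
EMULATION_LOG = [
    (1, None, "spawn_process"),
    (1, None, "read_config"),
    (2, 1, "replicate"),
    (2, 1, "read_config"),
    (3, 1, "overwrite_file"),
    (4, 3, "hide_file"),
    (5, 1, "read_config"),
]


def per_component_verdict(log, threshold=THRESHOLD):
    """Score each component in isolation, as a naive heuristic analyzer does."""
    actions = defaultdict(set)
    for pid, _, action in log:
        if action in MALICIOUS_ACTIONS:
            actions[pid].add(action)
    return {pid: len(acts) >= threshold for pid, acts in actions.items()}


def aggregated_verdict(log, threshold=THRESHOLD):
    """Attribute each component's actions to the root of its process tree,
    so malicious behavior split across components is scored as a whole."""
    parent = {}
    for pid, ppid, _ in log:
        parent.setdefault(pid, ppid)

    def root(pid):
        while parent.get(pid) is not None:
            pid = parent[pid]
        return pid

    actions = defaultdict(set)
    for pid, _, action in log:
        if action in MALICIOUS_ACTIONS:
            actions[root(pid)].add(action)
    return {r: len(acts) >= threshold for r, acts in actions.items()}


if __name__ == "__main__":
    print("per component:", per_component_verdict(EMULATION_LOG))  # no flags
    print("aggregated:  ", aggregated_verdict(EMULATION_LOG))       # {1: True}
```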